Both user ppp and pppd (the kernel level implementation of PPP) use configuration files located in the /etc/ppp directory. The sample configuration files provided are a good reference for user ppp, so don't delete them.
Configuring ppp requires that you edit a number of files, depending on your requirements. What you put in them depends to some extent on whether your ISP allocates IP addresses statically (i.e., you get given one IP address, and always use that one) or dynamically (i.e., your IP address can be different for each PPP session).
You will need to create a configuration file called /etc/ppp/ppp.conf. It should look similar to the example below. Note that lines that end in a ``:'' start in the first column; all other lines should be indented as shown using spaces or tabs.
1  default:
2   set device /dev/cuaa0
3   set speed 115200
4   set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" ATE1Q0 OK-AT-OK \\dATDT\\T TIMEOUT 40 CONNECT"
5  provider:
6   set phone "(0123) 456 7890"
7   set login "TIMEOUT 10 \"\" \"\" gin:--gin: foo word: bar col: ppp"
8   set timeout 300
9   set ifaddr x.x.x.x y.y.y.y 255.255.255.0 0.0.0.0
10  add default HISADDR
11  enable dns
Do not include the line numbers; they are just for reference in this discussion.
Line 1: Identifies the default entry. Commands in this entry are executed automatically when ppp is run.
Line 2: Identifies the device to which the modem is connected. COM1: is /dev/cuaa0 and COM2: is /dev/cuaa1.
Line 3: Sets the speed you want to connect at. If 115200 doesn't work (it should with any reasonably new modem), try 38400 instead.
Line 4: The dial string. User ppp uses an expect-send syntax similar to the chat(8) program. Refer to the manual page for information on the features of this language.
Line 5: Identifies an entry for a provider called ``provider''.
Line 6: Sets the phone number for this provider. Multiple phone numbers may be specified using the ``:'' or ``|'' character as a separator. The difference between these separators is described in the ppp manual page. To summarize, if you want to rotate through the numbers, use the ``:''. If you want to always attempt to dial the first number first and only use the other numbers if the first number fails, use the ``|''. Always quote the entire set of phone numbers as shown.
Line 7: The login string is of the same chat-like syntax as the dial string. In this example, the string works for a service whose login session looks like this:
J. Random Provider
login: foo
password: bar
protocol: ppp
You will need to alter this script to suit your own needs. When you write this script for the first time, you should enable ``chat'' logging to ensure that the conversation is going as expected. If you're using PAP or CHAP, there will be no login at this point, so your login string should be left blank. See PAP and CHAP authentication for further details.
Line 8: Sets the default timeout (in seconds) for the connection. Here, the connection will be closed automatically after 300 seconds of inactivity. If you never want to time out, set this value to zero.
Line 9: Sets the interface addresses. The string x.x.x.x should be replaced by the IP address that your provider has allocated to you. The string y.y.y.y should be replaced by the IP address that your ISP indicated for their gateway (the machine to which you connect). If your ISP hasn't given you a gateway address, use 10.0.0.2/0. If you need to use a ``guessed'' address, make sure that you create an entry in /etc/ppp/ppp.linkup as per the instructions for PPP and Dynamic IP addresses. If this line is omitted, ppp cannot run in -auto mode.
Line 10: Adds a default route to your ISP's gateway. The special word HISADDR is replaced with the gateway address specified on line 9. It is important that this line appears after line 9, otherwise HISADDR will not yet be initialized.
Line 11: This line tells ppp to ask your ISP to confirm that your nameserver addresses are correct. If your ISP supports this facility, ppp can then update /etc/resolv.conf with the correct nameserver entries.
It is not necessary to add an entry to ppp.linkup when you have a static IP address, as your routing table entries are already correct before you connect. You may however wish to create an entry to invoke programs after connection. This is explained later with the sendmail example.
Example configuration files can be found in the /etc/ppp directory.
If your service provider does not assign static IP numbers, ppp can be configured to negotiate the local and remote addresses. This is done by "guessing" an IP number and allowing ppp to set it up correctly using the IP Configuration Protocol (IPCP) after connecting. The ppp.conf configuration is the same as PPP and Static IP addresses, with the following change:
9   set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
Again, do not include the line numbers, they are just for reference in this discussion. Indentation of at least one space is required.
The number after the ``/'' character is the number of bits of the address that ppp will insist on. You may wish to use IP numbers more appropriate to your circumstances, but the above example will always work.
The last argument (0.0.0.0) tells ppp to negotiate using address 0.0.0.0 rather than 10.0.0.1. Do not use 0.0.0.0/0 as the first argument to set ifaddr, as it prevents ppp from setting up an initial route in -auto mode.
If you are running version 1.X of ppp, you will also need to create an entry in /etc/ppp/ppp.linkup. ppp.linkup is used after a connection has been established. At this point, ppp will know what IP addresses should really be used. The following entry will delete the existing bogus routes, and create correct ones:
1  provider:
2   delete ALL
3   add default HISADDR
On establishing a connection, ppp will look for an entry in ppp.linkup according to the following rules: first, try to match the same label as we used in ppp.conf. If that fails, look for an entry for the IP number of our gateway. This entry is a four-octet IP style label. If we still haven't found an entry, look for the MYADDR entry.
Line 2: This line tells ppp to delete all existing routes for the acquired tun interface (except the direct route entry).
Line 3: This line tells ppp to add a default route that points to HISADDR. HISADDR will be replaced with the IP number of the gateway as negotiated in the IPCP.
See the pmdemand entry in the files /etc/ppp/ppp.conf.sample and /etc/ppp/ppp.linkup.sample for a detailed example.
Version 2 of ppp introduces ``sticky routes''. Any add or delete lines that contain MYADDR or HISADDR will be remembered, and any time the actual values of MYADDR or HISADDR change, the routes will be re-applied. This removes the necessity of repeating these lines in ppp.linkup.
This section describes setting up ppp in a server role.
When you configure ppp to receive incoming calls on a machine connected to a LAN, you must decide if you wish to forward packets to the LAN. If you do, you should allocate the peer an IP number from your LAN's subnet, and use the command enable proxy in your ppp.conf file. You should also confirm that the /etc/rc.conf file (this file used to be called /etc/sysconfig) contains the following:
gateway_enable=YES
Configuring FreeBSD for Dialup Services provides a good description of enabling dialup services using getty.
An alternative to getty is mgetty, a smarter version of getty designed with dialup lines in mind.
The advantage of using mgetty is that it actively talks to modems, meaning that if a port is turned off in /etc/ttys then your modem won't answer the phone.
Later versions of mgetty (from 0.99beta onwards) also support the automatic detection of PPP streams, allowing your clients script-less access to your server.
Refer to Mgetty and AutoPPP for more information on mgetty.
PPP must normally be run as user id 0. If however you wish to allow ppp to run in server mode as a normal user by executing ppp as described below, that user must be given permission to run ppp by adding them to the network group in /etc/group.
You will also need to give them access to one or more sections of the configuration file using the allow command:
allow users fred mary
If this command is used in the default section, it gives the specified users access to everything.
Create a file called /etc/ppp/ppp-shell containing the following:
#!/bin/sh
# The label to use is whatever follows the last "-" in the name this
# script was invoked as (e.g. /etc/ppp/ppp-fred gives "fred").
IDENT=`echo $0 | sed -e 's/^.*-\(.*\)$/\1/'`
CALLEDAS="$IDENT"
TTY=`tty`
# For the generic ppp-dialup link, use the tty name (ttyd0, ...) as the label.
if [ x$IDENT = xdialup ]; then
IDENT=`basename $TTY`
fi
echo "PPP for $CALLEDAS on $TTY"
echo "Starting PPP for $IDENT"
# Run ppp in direct mode on the selected ppp.conf section.
exec /usr/sbin/ppp -direct $IDENT
This script should be executable. Now make a symbolic link called ppp-dialup to this script using the following commands:
# ln -s ppp-shell /etc/ppp/ppp-dialup
You should use this script as the shell for all your dialup ppp users. This is an example from /etc/passwd for a dialup PPP user with username pchilds. (Remember, don't directly edit the password file; use vipw.)
pchilds:*:1011:300:Peter Childs PPP:/home/ppp:/etc/ppp/ppp-dialup
Create a /home/ppp directory that is world readable, containing the following 0 byte files:
-r--r--r-- 1 root wheel 0 May 27 02:23 .hushlogin
-r--r--r-- 1 root wheel 0 May 27 02:22 .rhosts
The .hushlogin file prevents /etc/motd from being displayed.
Create the ppp-shell file as above and, for each account with statically assigned IPs, create a symbolic link to ppp-shell.
For example, if you have three dialup customers fred, sam, and mary, that you route class C networks for, you would type the following:
# ln -s /etc/ppp/ppp-shell /etc/ppp/ppp-fred
# ln -s /etc/ppp/ppp-shell /etc/ppp/ppp-sam
# ln -s /etc/ppp/ppp-shell /etc/ppp/ppp-mary
Each of these users' dialup accounts should have their shell set to the symbolic link created above (i.e. mary's shell should be /etc/ppp/ppp-mary).
The /etc/ppp/ppp.conf file should contain something along the lines of:
default:
 set debug phase lcp chat
 set timeout 0
ttyd0:
 set ifaddr 203.14.100.1 203.14.100.20 255.255.255.255
 enable proxy
ttyd1:
 set ifaddr 203.14.100.1 203.14.100.21 255.255.255.255
 enable proxy
Note the indenting is important.
The default: section is loaded for each session. For each dialup line enabled in /etc/ttys, create an entry similar to the one for ttyd0: above. Each line should get a unique IP from your pool of IP addresses for dynamic users.
Along with the contents of the sample /etc/ppp/ppp.conf above, you should add a section for each of the statically assigned dialup users. We will continue with our fred, sam, and mary example.
fred:
 set ifaddr 203.14.100.1 203.14.101.1 255.255.255.255
sam:
 set ifaddr 203.14.100.1 203.14.102.1 255.255.255.255
mary:
 set ifaddr 203.14.100.1 203.14.103.1 255.255.255.255
The file /etc/ppp/ppp.linkup should also contain routing information for each static IP user if required. The line below would add a route for the 203.14.101.0 class C via the client's ppp link.
fred:
 add 203.14.101.0 netmask 255.255.255.0 HISADDR
sam:
 add 203.14.102.0 netmask 255.255.255.0 HISADDR
mary:
 add 203.14.103.0 netmask 255.255.255.0 HISADDR
Configuring and compiling mgetty with the AUTO_PPP option enabled allows mgetty to detect the LCP phase of PPP connections and automatically spawn off a ppp shell. However, since the default login/password sequence does not occur it is necessary to authenticate users using either PAP or CHAP.
This section assumes the user has successfully configured, compiled, and installed a version of mgetty with the AUTO_PPP option (v0.99beta or later).
Make sure your /usr/local/etc/mgetty+sendfax/login.config file has the following in it:
/AutoPPP/ - - /etc/ppp/ppp-pap-dialup
This will tell mgetty to run the ppp-pap-dialup script for detected PPP connections.
Create a file called /etc/ppp/ppp-pap-dialup containing the following (the file should be executable):
#!/bin/sh
exec /usr/sbin/ppp -direct pap
Now create a single configuration entry in /etc/ppp/ppp.conf that will work for all of your incoming calls:
pap:
 enable pap
 set ifaddr 203.14.100.1 203.14.100.20-203.14.100.40
 enable proxy
Each user logging in with this method will need to have a username/password in the /etc/ppp/ppp.secret file, or alternatively add the enable passwdauth option to authenticate users via PAP from the /etc/passwd file.
If you wish to assign some users a static IP number, you can specify the number as the third argument in /etc/ppp/ppp.secret. See /etc/ppp/ppp.secret.sample for examples.
It is possible to configure ppp to supply DNS and NetBIOS nameserver addresses on demand.
To enable these extensions with ppp version 1.X, the following lines might be added to the relevant section of /etc/ppp/ppp.conf:
enable msext
set ns 203.14.100.1 203.14.100.2
set nbns 203.14.100.5
or for ppp version 2 and above:
accept dns
set dns 203.14.100.1 203.14.100.2
set nbns 203.14.100.5
This will tell the clients the primary and secondary name server addresses, and a NetBIOS nameserver host.
In version 2 and above, if the ``set dns'' line is omitted, ppp will use the values found in /etc/resolv.conf.
Some ISPs set their system up so that the authentication part of your connection is done using either of the PAP or CHAP authentication mechanisms. If this is the case, your ISP will not give a login: prompt when you connect, but will start talking PPP immediately.
PAP is less secure than CHAP, but security is not normally an issue here as passwords, although being sent as plain text with PAP, are being transmitted down a serial line only. There's not much room for crackers to "eavesdrop".
Referring back to the PPP and Static IP addresses or PPP and Dynamic IP addresses sections, the following alterations must be made:
7 set login
.....
12 set authname MyUserName
13 set authkey MyPassword
As always, do not include the line numbers, they are just for reference in this discussion. Indentation of at least one space is required.
Your ISP will not normally require that you log into the server if you're using PAP or CHAP. You must therefore disable your "set login" string.
Line 12: This line specifies your PAP/CHAP user name. You will need to insert the correct value for MyUserName.
Line 13: This line specifies your PAP/CHAP password. You will need to insert the correct value for MyPassword.
You may want to add an additional line
15  accept PAP
or
15  accept CHAP
to make it obvious that this is the intention, but PAP and CHAP are both accepted by default.
It is possible to talk to the ppp program while it is running in the background, but only if a suitable diagnostic port has been set up. To do this, add the following line to your configuration:
set server /var/run/ppp-tun%d DiagnosticPassword 0177
This will tell ppp to listen to the specified unix-domain socket, asking clients for the specified password before allowing access. The %d in the name is replaced with the tun device number that is in use.
Once a socket has been set up, the pppctl(8) program may be used in scripts that wish to manipulate the running program.